By Nicola Geary
While the nature and extent of due diligence in a private equity transaction is deal-specific, increasing globalization and use of electronic data storage and dissemination practices have created new liabilities including:
all of which are being considered with increasing frequency when performing due diligence on a potential investment or acquisition target.
Anti-Corruption Due Diligence
Recent years have seen an increase in the enforcement of anti-corruption legislation. As such, acquirers must pay increasing attention to whether a target company is in compliance with the Corruption of Foreign Public Officials Act (Canada) (CFPOA), the Foreign Corrupt Practices Act (US) and similar anti-corruption legislation in other jurisdictions. An acquirer must determine whether a target's activities are acceptable under the home country's legislation, as home legislation may cover the activities of local companies, citizens and permanent residents even when they operate abroad. For example, the CFPOA provides that the Canadian government may assert jurisdiction where a transaction has a "real and substantial" connection to Canada, and over Canadian companies, citizens and residents, regardless of where the actions take place. An acquirer must also consider whether the target is in compliance with anti-corruption legislation in the target's own jurisdiction.
Anti-corruption due diligence is by its nature challenging, as violations are often hidden from view. Companies wishing to conduct adequate anti-corruption due diligence need to be creative in looking for red flags. Companies should review the target's anti-corruption and anti-bribery policies and procedures and assess the robustness of the compliance controls in place to prevent and detect corrupt foreign practices. In addition, it may be necessary to engage local third-party advisors; to review information relating to the approval, recording and monitoring of gifts, travel and entertainment provided to agents and consultants; to interview key personnel; to contact local government agencies; and to review internal and external reviews, audits and examinations.
With the number of high-profile cyberattacks (Target, Ashley Madison, Bell) increasing, regulators, boards of directors and purchasers alike are turning their focus to cybersecurity issues. Cyberattacks can create significant liability for any target, including smaller targets and targets in industries not typically associated with technology. Most companies store customer records, payment records, employment records, private correspondence and often much more electronically, and any of this material can be compromised by malicious third-party attackers, which can lead to private suits, regulatory fines (including under the relatively new Digital Privacy Act (Canada)) and valuation issues. An acquirer will typically acquire all such records (and the associated attack risks) when acquiring a target.
While it is unrealistic to expect zero cybersecurity risk in a PE acquisition, this risk can be better understood through thorough due diligence and mitigated through purchase price adjustments, representations and warranties and/or indemnities. When conducting cyber due diligence, an acquirer should review any previous breaches or cyberattacks to determine whether and how these breaches were addressed or resolved, what additional security measures have since been implemented and how the target reacted to the breach. The acquirer should determine whether the target's data security systems, cybersecurity governance and cyber risk protocols meet industry standards and whether the target has cyber incident response and monitoring systems in place. It should also determine the target's exposure based on its current security protocols. Where the exposure is large, an acquirer may also wish to review cyber insurance policy coverage and engage experts to assess the extent of the liabilities in more detail.
Privacy Law Diligence
In addition to conducting focused due diligence to assess the target's protection of its data, both the target and the potential buyer will want to ensure that the due diligence itself does not cause the target to be in breach of its obligations. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use and disclosure of personal information, meaning "information about an identifiable individual", by federal businesses, across provincial and national borders, and by businesses in provinces without substantially similar privacy legislation. PIPEDA applies to commercial activity, meaning that it previously applied to personal information collected, used or disclosed during the due diligence process. However, in 2015 the Digital Privacy Act amended PIPEDA to include a business transactions exemption. Organizations are now permitted to use and disclose personal information without consent in the context of a business transaction, where necessary, to determine whether to proceed with the transaction; however, there are a number of requirements on both the target and the buyer. Both parties must agree in writing to limit use and disclosure to that required for purposes related to the proposed transaction, to protect the personal information with appropriate security safeguards and to return or destroy the personal information if the transaction does not proceed. In the event that the transaction does proceed, notice must be provided to the owners of the personal information.